Quantum protocol for cheat-sensitive weak coin flipping 
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We present a quantum protocol for the task of weak coin flipping. We find that, for one choice 
of parameters in the protocol, the maximum probability of a dishonest party winning the coin flip 
if the other party is honest is l/y/2. We also show that if parties restrict themselves to strategies 
wherein they cannot be caught cheating, their maximum probability of winning can be even smaller. 
As such, the protocol offers additional security in the form of cheat sensitivity. 

PACS numbers: 03.67.Dd 



In 1981 Blum|l|] introduced the following crypto- 
graphic problem: Alice and Bob have just divorced and 
are trying to determine who will keep the car. They 
agree to decide the issue by the flip of a coin, but they can 
only communicate by telephone. The question is whether 
there is a protocol that allows them to decide on a winner 
in such a way that both parties feel secure that the other 
cannot fix the outcome. 

Two-party protocols, of which this is an example, are 
some of the most problematic in classical cryptography. 
In fact, there are no two-party classical protocols whose 
security does not rely upon assumptions (many of which 
are threatened by quantum computation) about the com- 
plexity of a computational task. Kilian explains Q : 

[In a two-party protocol] both parties possess 
the entire transcript of the conversation that 
has taken place between them. [. . . ] Because 
of this knowledge symmetry condition there 
are impossibility proofs for seemingly trivial 
problems. Cryptographic protocols "cheat" 
by setting up situations in which A may de- 
termine exactly what B can infer about her 
data, from an information theoretic point of 
view, but does not know what he can easily 
(i.e. in probabilistic polynomial time) infer 
about her data. From an information the- 
oretic point of view, of course, nothing has 
been accomplished, (emphasis added) 

Conversely, when we move from classical to quantum 
cryptography, we find many two-party protocols whose 
security rests only upon the validity of quantum mechan- 
ics. Thus, from a quantum information-theoretic point 
of view, something significant can be accomplished. Fur- 
thermore, quantum protocols can naturally exhibit a type 
of security known as cheat sensitivity ||: whenever a 
party cheats above some threshold amount, he or she 
runs a risk of being caught. This can provide a strong 
deterrent to cheating. For instance, if two parties need 
to implement a protocol many times, they may stand to 



gain more from the preservation of the trust of the other 
party than they do from cheating in a single implementa- 
tion. Such considerations can be treated quantitatively 
by assigning numerical costs to the various possible re- 
sults. Given the striking contrasts between what can be 
accomplished in classical and quantum two-party proto- 
cols, the analysis of such protocols provides valuable in- 
sights into the differences between classical and quantum 
information theory. 

In this letter, we will be concerned with a crypto- 
graphic task called coin flipping. We begin by distin- 
guishing a strong and a weak form, both of which are 
adequate for Blum's original problem. 
Strong Coin Flipping (SCF): Alice and Bob engage in 
some number of rounds of communication, at the end 
of which each infers the outcome of the protocol to be 
either 0, 1, or fail. If both are honest then they agree on 
the outcome and find it to be or 1 with equal probabil- 
ity. Suppose, on the other hand, that one of the parties, 
X, is dishonest. In this situation, X cannot increase 
the probability of his/her opponent obtaining the out- 
come c to greater than 1/2 + e c x , for either c = or 
c = 1. The parameters e^, e\, e° B , e l B , which specify the 
degree to which the protocol resists biasing, must each 
be strictly less than 1/2. 

Weak Coin Flipping '(WCF): This is simply SCF without 
any constraints on e° A or e l B . The parameters €a = e\ 
and es = must be strictly less than 1/2 and specify 
the bias-resistance of the protocol. 

An SCF protocol ensures that neither party can fix the 
outcome to be or fix the outcome to be 1. This proto- 
col is appropriate when the parties do not know which 
outcome their opponent favors. By contrast, a WCF pro- 
tocol only ensures that Alice cannot fix the outcome to 
be 1 and that Bob cannot fix the outcome to be 0. This 
is appropriate if Alice and Bob are playing a game where 
Alice wins if the outcome is 1 and Bob wins if the out- 
come is 0. 

It has been shown by Lo and Chau [0 that a perfectly 
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bias-resistant SCF protocol, i.e. one having B = 0, is 
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impossible. Recently, Kitaev M has shown that it is also 
impossible to find an arbitrarily bias-resistant SCF pro- 
tocol, i.e. one for which e° AB — > in the limit that some 
security parameters go to infinity. The first partially bias- 
resistant SCF protocol, presented by Aharonov et aL@, 
had e° B A ~ 0.354 and e / < 0.414. We later showed that 
e Q A = e'g 1 jjj. If e c A = e c B for c = and 1, we call the 
protocol fair; if e x — e V for X — A and B, we call it bal- 
anced. A fair and balanced SCF protocol with e^ 1 ^ = | 
was recently discovered by Ambainis [|); the possibility 
of SCF with this degree of security also follows from our 
analysis ^] of quantum bit commitment. In fact, the re- 
sults of Ref. 0j imply the existence of a balanced SCF 
protocol with t A = a and e^ 1 = (3 for any pair of values 
a, (3 satisfying a + (3 = 1/2. 

Much less is known about WCF. Indeed, whether arbi- 
trarily bias-resistant WCF is possible or not remains an 
open question. Since an SCF protocol yields a WCF pro- 
tocol with parameters £a = ano - £ b = e B > the protocol 
of Ref. § yields a WCF protocol with e A + e B = 1/2. 
However, it is likely that by making a SCF protocol un- 
balanced one can lower the values of t\ and e B at the 
expense of e A and e B . Thus, one would expect there to 
exist a WCF protocol with better security than the one 
derived from Ref. This expectation is borne out by 
the results of this letter. Specifically, we demonstrate 
the existence of a three- round WCF protocol for any ca, 
cb satisfying (1/2 4- eyi)(l/2 + e B ) = 1/2. In particular, 
this implies that there exists a fair WCF protocol with 
e A ,B = (V2- l)/2~ 0.207. 

We also characterize the cheat sensitivity of this pro- 
tocol. Specifically, we consider each party's threshold for 
cheat sensitivity, defined as the maximum probability of 
winning that the party can achieve while ensuring that 
his or her probability of being caught cheating remains 
strictly zero. Since a party can achieve a probability 
of winning of 1/2 without cheating, the minimum possi- 
ble threshold is 1/2. The maximum possible threshold is 
simply the party's maximum probability of winning. The 
protocol is only said to be cheat-sensitive if the threshold 
is less than this maximum value. We find that for suit- 
ably chosen parameters, the protocol presented here can 
be cheat-sensitive against both parties simultaneously. 
Although no parameter choices yield a threshold of 1/2 
for both parties simultaneously, it is possible to obtain 
such a threshold for one of the parties. 
The protocol: 

Round 1. Alice prepares a pair of systems in a (typically 
entangled) state \ip) € Ti. A (g) H B , and sends system B to 
Bob. 

Round 2. Bob performs the measurement associated with 
the positive operator-valued measure (POVM) {Eq,Ei} 
on system P, and sends a classical bit b indicating the 
result to Alice. 

Round 3. If b = then Bob sends system B back 



to Alice, while if b = 1 then Alice sends system A 
to Bob. The party that receives the system then per- 
forms the measurement associated with the projection 
valued measure {\4>b) (V'&l, I ~ fyb) {ipb\} , where \ipb) = 
I®^/Ei\ip) /yj{ip\ I ® E b \tp). The different possible out- 
comes are: 

(i) 6 = 0, Alice finds \ipa) (ipo\; Bob wins. 

(ii) 6 = 0, Alice finds I — \ipo) (ipo\; Alice catches Bob 
cheating. 

(iii) 6 = 1, Bob finds (ipi\; Alice wins. 

(iv) 6=1, Bob finds / — \ipi) (ipi\; Bob catches Alice 
cheating. 

Notice that unlike other proposed two-party protocols, 
at no stage does this protocol require either party to 
make classical random choices. While this protocol is 
sufficient for WCF, it is insufficient for SCF because 
Bob can always choose to lose by simply announcing 
6=1. We will see that one can characterize an instance 
of the protocol completely by specifying the POVM ele- 
ment Eo and the reduced density operator on system B, 
p = Tta(\^} In order for the parties to have equal 
probabilities of winning when both are honest, the con- 
straint Tr (pEq) = 1/2 must be satisfied. This implies, in 
particular, that \tp b ) = y/2 (/ (g) y/Ei\ip)) . 

We proceed by listing the most important properties of 
the protocol. We then present several interesting specific 
choices of Eq and p. The proofs are left until the end. 
Property 1: Alice's maximum probability of winning is 

pmax = 2Tr ( pE 2^ 

Property 2: Alice's threshold for cheat sensitivity is 

pthresh 

A " 2Tr( P n (/ _ iSo) )' 

where Hx denotes the projector onto the support of X 
(the support of X is the set of eigenvectors of X associ- 
ated with non-zero eigenvalues). 

Property 3: Bob's maximum probability of winning is 

pr x = 2(Ti-v^) 2 , 

Property 4 : Bob's threshold for cheat sensitivity is 

rjthresh 

B - 2Amax (^n^) ' 

where A max (X) denotes the largest eigenvalue of X. 

An interesting family of protocols is defined by the 
choices p = x|0)(0| + (1 - x)\l)(l\ and E Q = ^|0)(0|, 
where 1/2 < x < 1. For these protocols, PjJ lax = 

1/2X, P| laX = X, P A h ™ sh = 1/2, P«" csh = p^x Thus 

Alice runs a risk of being caught whenever she cheats, 
while Bob can cheat up to the maximum amount possible 
without running any risk of being caught. This family 
achieves the trade-off 

pmaxpmax =1 / 2 ^ 
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It is easy to prove that this trade-off is optimal when 
E and p have support in a 2-d Hilbert space. In a 
preprint version of this letter, we conjectured that it was 
optimal for all higher dimensional Hilbert spaces as well. 
Subsequently, this was proven by Ambainis |lG| ] (who also 
independently discovered a WCF protocol achieving the 
trade-off of Eq.(|l|)). It is interesting to note that whereas 
the best known SCF protocols j|, |9| require a qutrit for 
their implementation, a qubit suffices here. 

A second interesting family of protocols is defined 
by the choices p = x\0)(0\ + (I - i)|1>(1| and E = 
(1 - 5j)|0)(0| + |1)(1|, with 1/2 < x < 1. For these, 

pmax _ 1 ^ 2X) pmax = 2 + 4.X 2 - 5x + 2 (1 -x) y/2x{2x - 1), 

pttresh = pma X) pthrcsh = i/ 2 . I n contrast with the 
previous example, Bob now runs a risk of being caught 
whenever he cheats, while Alice can cheat up to the max- 
imum amount possible without running any risk of being 
caug ht. The trade-off (0) is no longer attained however. 

It can be shown that no choice of Eq and p can give 
p^hrosh = pthrcsh = i/2 0. Nonetheless, it is possible 
to have pf™ sh < and p«»' csh < p™, i.e., cheat 

sensitivity against both parties simultaneously. This oc- 
curs, for example, when p = |i and E = ||0)(0| + 
i|l)(l|, since in this case Pjf ax = 5/8, pthresS = 1/2 , 
pmax _ i + V| _ 0.933, and p|»' csh = 2/3. In this case, 
if the parties restrict themselves to strategies wherein 
they cannot be caught cheating, their maximum proba- 
bility of winning is even less than l/y/2. This example 
demonstrates that cheat sensitivity is a useful form of 
security in its own right. 

Proof of Property 1: Assume that Bob is honest. 
Alice's most general cheating strategy is to prepare a 
state \4>') instead of the honest ■ (It is obvious from 
what follows that she gains no advantage by preparing 
a mixed state, and thus no advantage by implement- 
ing strategies wherein she performs measurements on 
A or entangles A with a system she keeps in her pos- 
session. Moreover, since she only submits A to Bob 
when 6 = 1, any operation on A she wishes to per- 
form can be done prior to Bob's announcement, and 
thus can be incorporated into the preparation.) The 
probability that Bob obtains the outcome b = 1 is 
(i/y\I <S> Ei , and the probability that Alice passes 
Bob's test for \ipi) when she resubmits system A is 

K^lh/4>| 2 , where |$) = (I® vW>)/ VWl 1 ® W>- 
Alice only wins the coin flip if the outcome is b = 1 
and she passes Bob's test. This occurs with probability 
P A = W\I®Ei KViWM 2 = \(ipi\I®VEl\Tp')\ 2 - We 
wish to find F™ = supi^n Pa- Thus, we must max- 
imize the overlap of a normalized vector \ip'), with the 
non-normalized vector J® i/E~i\ipi). Clearly, this is done 
by taking the two vectors parallel, so the optimal is 
|?// max ) = (j <g> V#T|V>i)) /y/(i/>i\I ® Ehfih). Using the 
definition of |"0i) an d applying some straightforward al- 
gebra, we find P^ ax = 2Tr(pP 2 ). As E\ = (I- E Q ) 2 we 



obtain P^ lax = 2Tr(,oP 2 ). ■ 
Proof of Property 2: We seek to determine Alice's 
maximum probability of winning assuming that her prob- 
ability of being caught cheating is strictly zero. Alice's 
most general cheating strategy is, as above, to prepare 
a pure state \ip') . She must pass Bob's test with proba- 
bility one, which implies KV'ilV'i)! 2 = 1; or W\) — \i>i) 
to within a phase factor. Multiplying both sides of this 

latter equation by I ® \fE\ (we use X^ 1 to denote 
the inverse of X on its support), and writing |Vi) and 
\tpi) in terms of and \ip) , we obtain I ® He 1 \tp') — 
a (I ® He x for some constant a. It follows that 
|V/) = a (I ® n El |^» + (3 |x) , where / ® n Bl |x> = 
and a,/3 are constrained to ensure that \ip') is normal- 
ized. Heuristically, Alice can pass Bob's test with prob- 
ability 1 whenever she submits a state \ip') that is indis- 
tinguishable from \ip) within the support of E\. Alice's 
probability of winning in this case is I ® E\ \ip') — 
\a\ (ip\ I ® E\ — I |a| 2 , which is maximized when 

[3 = and a = \/^{^\I®J\ El W>- This y ields P A hlcsh = 
l/2(V>|J®n Bl |V) =l/2Tr ( P u El ). m 
For proving properties 3 and 4, the following definition 
and lemma are useful. (For simplicity we ignore degener- 
acy and support issues which are easily incorporated but 
do not change any of our results.) 

Definition: Consider a vector \ip) £ TL A ® Tt B , a linear 
operator X on 7i A and a linear operator Y on Tt B . X 
and Y are said to be Schmidt equivalent under \tp) if the 
matrix elements of X in the eigenbasis of Ttb (\ip) (ip\) , 
are the same as the matrix elements of Y in the eigenbasis 
ofTr A (|^(^|). 

.Lemma 0: For a vector \<p) s TL A ® 7i B , and a positive 
operator S on Tt B , 

t± b ((i®Ve)\<p) (<p\ (/®Vp)) =V^d t V^, 

where uo = Tr b (\<p) , D is the operator on 7t A that 
is Schmidt equivalent to E under \(p) , and D T is the 
transpose of D with respect to the eigenbasis of u>. 
Proof of lemma: Suppose the bi-orthogonal de- 
composition of \<p) is \(p) = J2j \ e j) ® l/i) ■ 
Taking the trace in terms of the basis we 
find LHS = Y, jtk \f^k\ej){h\E\f j ){e k \. By def- 
inition, {fk\E\fj} = {e k \D\e 3 ) and (efc|D|e 3 -> 
i ; D T |efc) . With some re-ordering of terms, we obtain 
LHS = (E j ^Aj | Cj ) ( ej |)£> r (E fc ^|e fc ) (e fe |). Noting 
that and |ej) are the eigenvalues and eigenvectors 
of y/uj, we have the desired result. ■ 
Proof of Property 3: Assume that Alice is honest. 
Bob's most general cheating strategy can be implemented 
as follows. First, he performs a measurement on system 
B of a POVM {E' k } , which may have an arbitrary num- 
ber of outcomes. With probability p' k — I®E' k \tp) the 
outcome is k and the state of the total system is updated 
to \tp' k ) = (7® \f~Ek I 1 /")) / y/Pk- After the measurement, 
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Bob can perform a unitary transformation, U k , on sys- 
tem B, the nature of which depends on the outcome k 
that was recorded. Finally, he must decide whether to 
announce b = or 1 based on the result of the measure- 
ment, that is, he must decide on a set So of outcomes for 
which he will announce b = 0. 

Bob's probability of passing Alice's test given out- 
come k is \(ipa\I ® Uk |V4)| 2 > so ms probability of win- 
ning the coin flip is P B = J2kes Pk K^ol I ® U k \ip' k )\ 2 . 
We must maximize this with respect to variations 
in {E' k },{U k }, and S . By Uhlmann's theorem |§, 



su Pc/fc |(-0 O | J <g» C/ fc |-0fc)| 2 
Tr B (|^)(^|), < = 
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= ^(cto,^) , where a b = 
_ Tr B (|^)(^l) and F(w,t) = 
Tr| Y^y 7 ^ is the fidelity. Thus we need to compute 
P^ ax = snippy So J2 keSo F(a 0i p' k a' k f. Since the fi- 
delity squared is always positive, J2kes ^ ( a o>Pk a k) 2 — 
^2 k F (<To , p' k a' k ) 2 . This implies that the optimal So is 
the entire set of indices: no matter what the outcome k 
of Bob's measurement, he should announce bit 0. More- 
over, by the concavity of the fidelity squared |T~ 
have E k F(a ,p' k a' k ) 2 < F(oo, J2kPk a 'k) 2 =F(a ,a) 
where a = Trg (|^>) (ip\). This upper bound is satu- 
rated if Bob makes no measurement upon system B. 
Using the definition of j^o) and the lemma, we find 
that Co = 2y / o\D r \fa, where Do is Schmidt equiva- 
lent to E under . Thus, we can write P™ ax = 
F {2^foD T \fo , a) = F (2^/aD ^/a, a) 2 , where the sec- 
ond equality follows from the fact that X T and X have 
the same eigenvalues. By the isomorphism between TL A 
and H B induced by Schmidt equivalence under we 
have PJ? ax = F (2^/pEo^p, pf . Finally, by the defini- 
tion of the fidelity, we have P|? ax = 2(TrVpSo7) 2 - ■ 
Proof of Property 4-' We seek to determine Bob's max- 
imum probability of winning assuming that his probabil- 
ity of being caught cheating is strictly zero. The latter 
condition constrains Bob's most general cheating strat- 
egy, described above, to be such that he must always 
pass Alice's test whenever he announces the outcome 
b = 0. That is, we require that {E' k }, {Uk} and So be 
such that / ® U k W k ) = \ipo) for all k E S . The prob- 
ability that Bob wins the coin flip is simply ^2 k ^s P'k' 
so we seek to determine sup {Uh} ^ E ^ So (E fce s Pk) > 
where the optimization is subject to the above con- 
straint. We solve the optimization problem by es- 
tablishing an upper bound and demonstrating that 
it can be saturated. We begin by using the def- 
initions of \4>'k) and |V>o) to rewrite the constraint 

Tracing over B and 



2 (J <g> V^o) IV) M(/®V3> 

applying the lemma provided above, we obtain 
^/a(D' k ) 7 'i/a = 2p' k ^/aDoy/a, where D' k and Do are 
the Schmidt equivalent operators to E' k and Eq respec- 



equation as -V (/ ® Uk y/E' k ) 



tively. It follows that U a D' k U a = 2p' fc n (T A)n CT ,which, 
by the isomorphism between Tt A and 7i B induced by 
Schmidt equivalence under implies H p E k Tlp = 

2p' k HpEoIl p . Combining this with J2 keSo E' k < I, we ob- 
tain Xfces 2pJ £ IT p Fon p < n p , which in turn implies that 
EkeS P'k < V2A max (U p E a n p ) = l/2A max (B p F ) . The 
upper bound can be saturated while satisfying the con- 
straint if Bob measures the POVM, {E' , E[} , defined by 
E'o = n p F n p /A max (UpE ) , and announces b = when 

Thus, 

i/2A max (n p F ) ■ ■ 

The ordering of the authors on this paper was chosen 
by a coin flip implemented by a trusted third party. TR 
lost. 
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he obtains the outcome associated with E' Q IT 
Bob's threshold is P^™ sh 
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